CBC Decrypter decrypts the encrypted text but some of the text is replaced with random characters

Question

Lets say I've this base64 encrypted text: (Please understand this is all test data)

0Ns8cv7CHb0Pn/L1RPQEJjAaPJbBuhJxf9RCm3k/qG6DoNgd06jSgUwiaM/ym1Xc9DOBMyZvMNZQKwv/cgr9WGP4ogmqNguaM/zIOIh/GpMGCbTh+5UmP3x+La5eQKCmhim+nxVIBVzcaepUGUyjyPncu2RPQB8maA2AjgmqFb2tk3rcRozj8rTjcQcykxk2i7omhmt1FHBj4YBJoT4oc6B9bCUj8nhIZPCOj8T1z7A3MvZJwSmMa5rFnnozMCQ3no7lxORJQnN9d7gkLge1BAGwrxbXZapkuBx/juqTK3sJ46oiPDCdB0IzZ6Q1PZTrJPcWghOlQwfvHfKgu8kHtW2y2QskP+1uzVQBainXxcCHX7ZBq7Vhdl7n3WQjjok3P/A/6ELJa6qI9eL/NTfEavr7m0PVyrm6Zci4piK2Gjdz/LJZWEKbX6/wUq3pnDClQXAv1DV6g8P46H0p2ZCb0/WsbyZmgxuWYMx/KV8236IUQwY4ylyxnhCHpgHZAeM/CC9qgnMw6zjEtud+uWCx3iWZpQdOmxvaEVMQOQFte/PkUkXgH/9Z5nqJWoftKRcQSyC2+gl5ORgjA1GjbFcB5cr36DFj4su+whgKfyDHtCVVqFK+lIkcu2uLJQX7MwImuvKEAY48raCt8eE3qj2dfjK+dNhOfB8TbU4qAsRTVh7FtD0Hfto7sdVRLWAZRnqo7tHqD0R1LWkXg/VhxFGMnJkUxdJonlEFYLadUTI2PIr4acnpHcr6P91dTU+onXdFaYumeJrayrxBAujmXmAzZki+KrYyviORMlxmpK87ZJ2jP0psRx0hD+SlnHnX3o5nJVMCEPy1Gh9lbU3F4O2PtZ5edc7GEq8TFMoAXtRqL3qg2m/vfyrgzjbU9127pHvk4HNpF0ow9PlC3oi827npONncormAml5Ii+4sz5KF8aN1JEiqt5jvrRnbAOOcOCdCysl1jyDyapchdxcHKk/wmzFVrykkaehfoYYDIAMqzPaBCmGFjZ53eXwvjP2XrKaJDvS2DbIkHnT+G0/lv58fYzAGwDlyxqA/oetN+Y5WolmS6gJVaws4qSYKaqVmIdz4pP7xOQNP22qnnjAoB49A0aKpQfGkL3W8zppB3Qa3rtvK0piPemX3HbNLAdKFFBEh1+AEbYNyUE/EjdkkVEwIDayw6L3WurLTytPX+05kKSkfG9AmJzqYmd1y50UQ5GxQu7V65nRL73LBoVWxkUO/T+rnyILmQ8dh91HuMgXdLlH41gfiRzk4axZr7LlSnsXVODoBYUHLOZ273WtFnixmKYCyzdI7gPnwN/BPBpVScpymKO0RZcQjFEp3TBOpF14W0+2RqVl/d+OSmXzeA3j7yvZVeUU59KNSMZzebBI4U9kTu0koHDBJzNHItRkrqsjw3NobpK6JvWjWXatPU9ytJ0gX2smtWGuuzjr/asV0X4omKmovOCllMYh+xRICkSIYB8C6rZ/a8ToVusmA62E6W+61t27e5wN4TCrtq9w3e12kNhZ73T/l2GHKa1gEqV6hBFm/VBEgxdiCtJeerqkbuotmJVMzFpJ+s+NM+xfw2w8uyKUjJFX75nwwI4idhbTl

I've this IV: db64fa140a888b41

And this secret key: 62448f7b7128e8b55224dd667b7c1a7e

If I use this site https://www.devglan.com/online-tools/aes-encryption-decryption to decrypt it using CBC, 256 key size and base64 decrypt, I get the correct string which is:

"{\"totaldistance\":7.116600000000001,\"totaltraveltime\":9,\"fare\":{\"vehicle_list\":[{\"name\":\"Electric Limousine\",\"category_image\":\"image-1667907996681.png\",\"seat_count\":\"4\",\"unique_category_id\":6,\"available_for\":\"2\",\"schedule_before\":\"20\",\"schedule_upto\":\"10800\",\"nearest_driver\":{\"fare\":52,\"min_fare\":35},\"schedule_only\":true},{\"name\":\"Limousine\",\"category_image\":\"image-1667908122302.png\",\"seat_count\":\"4\",\"unique_category_id\":7,\"available_for\":\"2\",\"schedule_before\":\"20\",\"schedule_upto\":\"10800\",\"nearest_driver\":{\"fare\":48,\"min_fare\":32},\"schedule_only\":true},{\"name\":\"XL Limousine\",\"category_image\":\"image-1667907858244.png\",\"seat_count\":\"6\",\"unique_category_id\":13,\"available_for\":\"2\",\"schedule_before\":\"20\",\"schedule_upto\":\"10800\",\"nearest_driver\":{\"fare\":59,\"min_fare\":40},\"schedule_only\":true},{\"name\":\"Ameera Limousine\",\"category_image\":\"image-1667907336189.png\",\"seat_count\":\"4\",\"unique_category_id\":16,\"available_for\":\"2\",\"schedule_before\":\"20\",\"schedule_upto\":\"60\",\"nearest_driver\":{\"fare\":48,\"min_fare\":32},\"schedule_only\":true}]}}"

But whenever I use my CBC decrypt function with the same input, I get this decrypted text:

"��(|���\u000bҖ�\b�Dvltraveltime\\\":9,\\\"fare\\\":{\\\"vehicle_list\\\":[{\\\"name\\\":\\\"Electric Limousine\\\",\\\"category_image\\\":\\\"image-1667907996681.png\\\",\\\"seat_count\\\":\\\"4\\\",\\\"unique_category_id\\\":6,\\\"available_for\\\":\\\"2\\\",\\\"schedule_before\\\":\\\"20\\\",\\\"schedule_upto\\\":\\\"10800\\\",\\\"nearest_driver\\\":{\\\"fare\\\":52,\\\"min_fare\\\":35},\\\"schedule_only\\\":true},{\\\"name\\\":\\\"Limousine\\\",\\\"category_image\\\":\\\"image-1667908122302.png\\\",\\\"seat_count\\\":\\\"4\\\",\\\"unique_category_id\\\":7,\\\"available_for\\\":\\\"2\\\",\\\"schedule_before\\\":\\\"20\\\",\\\"schedule_upto\\\":\\\"10800\\\",\\\"nearest_driver\\\":{\\\"fare\\\":48,\\\"min_fare\\\":32},\\\"schedule_only\\\":true},{\\\"name\\\":\\\"XL Limousine\\\",\\\"category_image\\\":\\\"image-1667907858244.png\\\",\\\"seat_count\\\":\\\"6\\\",\\\"unique_category_id\\\":13,\\\"available_for\\\":\\\"2\\\",\\\"schedule_before\\\":\\\"20\\\",\\\"schedule_upto\\\":\\\"10800\\\",\\\"nearest_driver\\\":{\\\"fare\\\":59,\\\"min_fare\\\":40},\\\"schedule_only\\\":true},{\\\"name\\\":\\\"Ameera Limousine\\\",\\\"category_image\\\":\\\"image-1667907336189.png\\\",\\\"seat_count\\\":\\\"4\\\",\\\"unique_category_id\\\":16,\\\"available_for\\\":\\\"2\\\",\\\"schedule_before\\\":\\\"20\\\",\\\"schedule_upto\\\":\\\"60\\\",\\\"nearest_driver\\\":{\\\"fare\\\":47,\\\"min_fare\\\":31},\\\"schedule_only\\\":true}]}}\"\u000b\u000b\u000b\u000b\u000b\u000b\u000b\u000b\u000b\u000b\u000b"

I'm using this decrypt function:

func DecryptCBC(key, ciphertext []byte, iv string) (plaintext []byte, err error) {
    var block cipher.Block
    ciphertext, err = b64.StdEncoding.DecodeString(string(ciphertext))
    if block, err = aes.NewCipher(key); err != nil {
        return
    }

    if len(ciphertext) < aes.BlockSize {
        fmt.Printf("ciphertext too short")
        return
    }

    ciphertext = ciphertext[aes.BlockSize:]

    cbc := cipher.NewCBCDecrypter(block,[]byte(iv))
    cbc.CryptBlocks(ciphertext, ciphertext)

    plaintext = ciphertext

    return
}

What am I doing wrong?

I have tried not passing the vector and do this:

iv := ciphertext[0:aes.BlockSize]

But it's returning the same result.

The encrypted text is returned from a third party API, which also provides the secret key and token from a different API.

Answer 1

The fact that the ciphertext is correctly decrypted by entering it, the IV, and the key into the appropriate boxes on the linked website tells me that the IV is not transmitted with the ciphertext, and therefore that decryption should start at the first byte of ciphertext rather than the 16th. So remove the line

    ciphertext = ciphertext[aes.BlockSize:]

and I'd expect you'll get the correct answer. Because the hex-encoded IV and key are used as is rather than hex-decoded, there is at most only half as much entropy in each. I'm not aware of any weakness of having a 256-bit AES key with only 128 bits of entropy but I'd rather not see an IV with only 64 bits of entropy. In any event, this is something that's decided by the encrypting party and not necessarily something you can control.